ORACLE FORENSICS IN A NUTSHELL 25/03/2007

Transcription

1 ORACLE FORENSICS IN A NUTSHELL 25/03/2007 The aim of this paper is to summarize Oracle Forensics in a time efficient manner as follows. 1.0 Definition 2.0 Process Methodology 3.0 Core technical tasks and Techniques used 4.0 Main Sources of evidence 5.0 Legal Context 6.0 Conclusion 1.0 DEFINITION Recommended prior and supporting reading: discovery/ Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past on a system. Farmer and Venema, discovery/appendixb.html 2.0 PROCESS METHODOLOGY Principles: Process: 1. Documented processes to produce repeatable results 2. Best evidence for court i.e. analysis done on the copy 3. Chain of custody implemented to enforce evidence accountability 1. Initiate a documented timeline of computer based events 2. Identify and contain the incident 3. Back up electronic files as evidence in chain of custody 4. Recover service and deleted data 5. Collecting and sorting electronic metadata by time 6. Integrate all event information into the timeline which includes log aggregation 7. Analysis of metadata timeline 8. Detailed examination of key data at lower level 9. Document the process to make findings repeatable 10. Apply the evidence to a criminal or legal context

2 3.0 CORE TECHNICAL TASKS AND TECHNIQUES USED 1. Backing up evidence in a verifiable way using checksums, file size and timestamps. At the OS: Start netcat listener on forensic_host to capture an image #nc -l -p > /tmp/driveimage.dd Use dd to collect image and netcat to send it across the network #dd if=/dev/hda2 nc host w 3 Can check integrity using md5sum on a drive or bit image file # md5sum /dev/hda1 In the DB: 1. RMAN 2. Full logical export $ORACLE_HOME/exp "sys/password as sysdba" full=y file=export.dmp 3. Cold backup ~ offline cp /oracle/oradata/sid/*.dbf /oracle/oradata/clone/ cp /oracle/oradata/sid/*.log /oracle/oradata/clone/ cp /oracle/oradata/sid/*.ctl /oracle/oradata/clone/ 4. Hot backup ~ online alter tablespace data begin backup alter database backup controlfile to c:\backupcontrolfile.bak 5. Verify dbv file=c:\oracle\datafile.bak logfile=c:\dbverifylog

3 2. Recovering deleted data such as that which an attacker may have attempted to hide. At the OS: To recover deleted files from Linux OS. This script requires installation of The Coroners Toolkit from # ils rf linux-ext2 /evidence/driveimage.img \ awk F ($2== f {print $1} \ while read i; \ do /usr/local/src/sleuthkit/bin/icat -f linux-ext2 \ /evidence/driveimage.img $i > \ /deletedfiles/$i; \ Done Foremost will carve out files based on their headers. #foremost -v -c foremost.conf ext2binarycopy.dd At the DB: Flashback select ora_rowscn, name from sys.user$; SELECT To_Char(TIME_DP, dd/mm/yyyy hh24:mi:ss, SCN_BAS FROM SYS.SMON_SCN_TIME; FLASHBACK TABLE SQUIRRELPATCH TO SCN ; Redo Logs using LogMiner

4 3. In depth data analysis entailing lower level inspection of data than normal At the OS Hexedit, WinHex forensic version Ethereal hexadecimal network packet analyzer, Ultra-Edit binary editor. DUDE or JDUL allows examination of Oracle datafiles that would not normally be possible Can use BBED or directly analyse the dbf s themselves. -of-each-row/ At the DB Oradebug see UG.html Ian Redfern s TNS protocol analysis Pete Finnigan s PLSQL unwrapping All of the above allow the analyst to understand what is happening in Oracle which is required to be able to make judgements about electronic evidence with a high level of certainty. In terms of analysing the actions of an attacker a good understanding of Oracle attacks is crucial therefore the Oracle Hacker s Handbook would be a good read so that the forensics analyst knows what to look for.

5 4. Timeline analysis by placing evidence on a timeline to show order of past events. At the OS and at the DB! Create a body file using this command. # fls -f linux-ext2 -m / -r /driveimage.img > /driveimage.fls Other datafile s can be parsed into the body file. Then use mactime perl script to sort the entries by timestamp. Mactime is part of the Sleuthkit. # mactime -b /bodyfile/body.mac >/bodyfile/body.all MACtimes = Modified, Accessed and Changed times. Problem is that the timestamps could have been changed therefore need to keep logs off the server being protected on a secure central loghost. This can be done more easily with Oracle now by utilising its SYSLOG functionality. ALTER SYSTEM SET audit_trail=os SCOPE=SPFILE; SQL> ALTER SYSTEM SET audit_syslog_level='user.alert' SCOPE=SPFILE; System altered. Syslogger download Installing the remote syslog host using these links. vi /etc/syslog.conf and configure syslog as normal. Place the sources of evidence from the next section onto the Depository loghost along with the SYSLOG basic Oracle audit and then create a timeline using external tables to query the logs using one SQL VIEW which uses TIMESTAMP as both foreign and primary key. It will be useful to measure TIMESTAMP to a higher decimal place precision so that the primary key timestamps stay unique. This is an example of mapping a listener logfile to db table for SQL. create directory LISTENERDIR as '/u01/app/oracle/oracle/product/10.2.0/db_4/network/log' / create table listenerlog ( logtime1 timestamp, connect1 varchar2(300, protocol1 varchar2(300, action1 varchar2(15, service1 varchar2(15, return1 number(10 organization external ( type oracle_loader default directory LISTENERDIR access parameters ( records delimited by newline nobadfile nologfile nodiscardfile fields terminated by "*" lrtrim missing field values are null (

6 logtime1 char(30 date_format date mask "DD-MON-YYYY HH24:MI:SS", connect1, protocol1, action1, service1, return1 location ('listener.log' reject limit unlimited / Marcus Ranum and Tina Birds site at is good for log analysis. Time synchronisation is key to the accuracy of timelines created. Refer to for more detail. For detailed information on creating a Depository consult my Oracle Forensics book from and this URL in the future MAIN SOURCES OF EVIDENCE 1. Listener log logs connections to the listener, use lsnrctl to administrate it. Can be found in /u01/app/oracle/oracle/product/10.2.0/db_4/network/listener.log 2. Alert log system alerts important to DB e.g processes starting and stopping. Can be found in /u01/app/oracle/admin/orcl/bdump 3. Sqlnet.log some failed connection attempts such as Fatal NI connect error Redo logs - current changes that have not been checkpointed into the datafiles (.dbf. /u01/app/oracle/oradata/orcl/redo02.log /u01/app/oracle/oradata/orcl/redo01.log /u01/app/oracle/oradata/orcl/redo03.log 5. Archived redo logs previous redo logs that can be applied to bring back the data in the db to a previous state using SCN as the main sequential identifier. This can be mapped to timestamp. 6. Fine-Grained Auditing audit logs viewable from FGA_LOG$ and DBA_FGA_AUDIT_TRAIL VIEW. 7. Oracle database audit SYS.AUD$ table and DBA_AUDIT_TRAIL VIEW. 8. Oracle mandatory and OS audit /u01/app/oracle/admin/orcl/adump 9. Home-made trigger audit trails - bespoke to the system. 10. Agntsrvc.log contains logs about the Oracle Intelligent agent. 11. IDS, Web server and firewall logs should also be integrated to the incident handling timeline. This will rely heavily on well synchronised time in the network as previously mentioned.

7 5.0 LEGAL CONTEXT The experience passed on to me by Forensic expert witnesses is that the main challenge lies in translating the technicalities of an analysis to the level of understanding held by the court officials and jury. This can be overcome by use of demonstrations and simplified examples. The other main challenge is placing the evidence and analysis results correctly in their legal context which requires the collaboration of legal and technical minds. The more that each know of the two subject areas the more effective this collaboration, therefore below are listed the main laws and standards that will affect Oracle Forensics cases in the future in the US. Computer Fraud and Abuse Act, 18 U.S.C Network Crimes Wiretap Act, 18 U.S.C Wiretapping and Snooping Privacy Act, 18 U.S.C Electronic Communications Sarbanes Oxley section 404 enforce financial standards to limit chance of fraud. HIPAA see Oracle Privacy Auditing Donald Burleson & Arup Nanda. - oracle.com/bp/bp_book11_audit.htm and Fair Credit Reporting Act (FCRA limits use and distributio n of personal data, and allows consumers to access the information held about them, though it only applies to information primarily used to make eligibility determinations Graham Leach Billey - requires disclosure of privacy policies to customers and financial standards in general. These policies should restrict the passing on a non-public personal information and requires this information to be safeguarded. Financial Anti-Terrorism Act (H.R of 2001 as part of the Patriot Act. Basel II Stipulates a relationship between the risk assessed for a bank and the amount of capital that needs to be set aside to balance that risk. Therefore Basel II provides a financial incentive for banks to reduce risk. SB 1386 California Data Breach act New York Data Breach act NY version of SB1386 PCI Credit card security standard requires installation of patches Install relevant security patches within one month of release. Also should be encrypted credit card details in the db. Data protection act 1998 UK and similar acts globally as referenced by the Safe Harbor Act Expert legal advice can be sought from CONCLUSION This paper has summarized the field of Oracle Forensics to give a time efficient overview of the subject. For a more in-depth description then Oracle Forensics by the Author Paul M. Wright should be consulted along with this website Feedback to [email protected] The paper will be updated over time at